Rorschach ransomware deployed by misusing a security tool

An unbranded ransomware strain that recently hit a US-based company is being deployed by attackers who are misusing a tool included in a commercial security product, Check Point researchers have found.

The solution in question is Palo Alto Networks’ Cortex XDR, whose Dump Service Tool the attackers appropriated and are now misusing to side-load the DLL that decrypts and injects the (newly labeled) Rorschach ransomware.


Rorschach’s execution flow (Source: Check Point)

The peculiarities of Rorschach ransomware

Previously analyzed by AhnLab's ASEC researchers, the Rorschach ransomware has some typical and some unique features:

  • It’s partly autonomous. When executed on a Domain Controller (DC) it spreads itself automatically by creating three group policies: one that copies the executable to all workstations, one that kills specific processes, and one that registers a scheduled task to run the main executable
  • It clears Windows event logs on affected machines, disables the Windows firewall, and deletes volume shadow copies and backups (to make data recovery more difficult)
  • It has a hard-coded configuration but additional capabilities can be enabled via command line arguments (e.g., the operator can choose not to change the wallpaper of the infected machine or drop a ransom note, or can require a password to run the sample)
  • It uses a cryptography scheme that combines Curve25519 key exchange with the eSTREAM cipher HC-128, encrypts only part of each file, and schedules its encryption threads efficiently. This all results in file encryption at lightning speed.

But perhaps the most interesting thing about it is how it’s delivered and deployed.

“The cybercriminals are using the Cortex XDR’s Dump Service Tool as a standalone tool they deliver themselves,” Sergey Shykevich, Threat Intelligence Group Manager at Check Point, told Help Net Security.

In the case they observed, the attackers brought to the victim’s machine a ZIP file containing three files: cy.exe (a copy of the Cortex XDR Dump Service Tool, which is abused to side-load winutils.dll into memory), winutils.dll (the packed Rorschach loader and injector) and config.ini (the encrypted Rorschach ransomware, containing all the logic and configuration).

“The main Rorschach payload config.ini is subsequently loaded into memory as well, decrypted and injected into notepad.exe, where the ransomware logic begins,” the researchers explained.

They did not say how the attackers delivered the malicious ZIP file onto the target organization’s system, nor whether the threat was found on more than one system.

“Rorschach does not exhibit any clear-cut overlaps with any of the known ransomware groups but does appear to draw inspiration from some of them,” the researchers noted.

What’s certain is that the ransomware won’t run on machines whose default system language indicates a user located in, or from, a CIS (Commonwealth of Independent States) country.

Palo Alto Networks reacts

Palo Alto Networks (PAN) has confirmed that “when removed from its installation directory, the Cortex XDR Dump Service Tool (cydump.exe), which is included with Cortex XDR agent on Windows, can be used to load untrusted dynamic link libraries (DLLs).”

The copy of the tool used by the threat actor is named cy.exe but, according to Shykevich, the original filename information is still presented in the version information resource of the binary.
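Detection logic for the chain described above (a renamed cydump.exe run from an arbitrary directory, winutils.dll loaded from that same directory, and the injection into notepad.exe), written over Sysmon-style process-create, image-load and remote-thread events. It keys on the OriginalFileName field that Sysmon copies from the binary's version resource, the same artifact Shykevich points to. This is an added example, not Check Point's or Palo Alto Networks' code; the events are constructed, and the Cortex install directory is an assumption to replace with the real one for your agent version.

```python
"""
Hunting for the Rorschach delivery chain over Sysmon-style events: a renamed
copy of the Cortex XDR Dump Service Tool (cydump.exe run as cy.exe) outside its
install directory, an unsigned DLL side-loaded from the same directory
(winutils.dll), and a remote thread injected into notepad.exe.

Added example, not Check Point's or Palo Alto Networks' code. The events
below are CONSTRUCTED, shaped like Sysmon Event ID 1 (ProcessCreate),
7 (ImageLoad) and 8 (CreateRemoteThread) records. CORTEX_INSTALL_DIR is an
ASSUMPTION: set it to the real agent directory on your fleet.
"""
from __future__ import annotations

import ntpath

CORTEX_INSTALL_DIR = r"C:\Program Files\Palo Alto Networks\Traps"  # ASSUMPTION
DUMP_TOOL_ORIGINAL_NAME = "cydump.exe"  # OriginalFilename in the PE version resource


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def detect(events: list[dict]) -> list[dict]:
    """Walk time-ordered events and return one finding per suspicious step.

    Correlation key is ProcessGuid: a process is tracked as 'the dump tool'
    when its ProcessCreate event carries OriginalFileName == cydump.exe,
    regardless of the name the file has on disk.
    """
    findings: list[dict] = []
    dump_tool_procs: dict[str, str] = {}  # ProcessGuid -> image path

    for ev in events:
        eid = ev["EventID"]

        if eid == 1 and ev.get("OriginalFileName", "").lower() == DUMP_TOOL_ORIGINAL_NAME:
            image = ev["Image"]
            dump_tool_procs[ev["ProcessGuid"]] = image
            renamed = _base(image) != DUMP_TOOL_ORIGINAL_NAME
            moved = not _dir(image).startswith(CORTEX_INSTALL_DIR.lower())
            if renamed or moved:
                findings.append({
                    "rule": "dump_tool_renamed_or_moved",
                    "image": image,
                    "renamed": renamed,
                    "moved": moved,
                })

        elif eid == 7 and ev["ProcessGuid"] in dump_tool_procs:
            dll = ev["ImageLoaded"]
            # Side-loading: the DLL resolves from the EXE's own directory and is unsigned.
            if _dir(dll) == _dir(ev["Image"]) and ev.get("Signed", "false").lower() != "true":
                findings.append({
                    "rule": "unsigned_dll_sideloaded_by_dump_tool",
                    "image": ev["Image"],
                    "dll": dll,
                })

        elif eid == 8 and ev["SourceProcessGuid"] in dump_tool_procs:
            findings.append({
                "rule": "remote_thread_from_dump_tool",
                "source": ev["SourceImage"],
                "target": ev["TargetImage"],
            })

    return findings


# Constructed sample: a legitimate agent run first, then the abuse chain.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{legit-1}",
     "Image": r"C:\Program Files\Palo Alto Networks\Traps\cydump.exe",
     "OriginalFileName": "cydump.exe"},
    {"EventID": 7, "ProcessGuid": "{legit-1}",
     "Image": r"C:\Program Files\Palo Alto Networks\Traps\cydump.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 1, "ProcessGuid": "{evil-1}",
     "Image": r"C:\Users\Public\tmp\cy.exe",
     "OriginalFileName": "cydump.exe"},
    {"EventID": 7, "ProcessGuid": "{evil-1}",
     "Image": r"C:\Users\Public\tmp\cy.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "ProcessGuid": "{evil-1}",
     "Image": r"C:\Users\Public\tmp\cy.exe",
     "ImageLoaded": r"C:\Users\Public\tmp\winutils.dll", "Signed": "false"},
    {"EventID": 8, "SourceProcessGuid": "{evil-1}",
     "SourceImage": r"C:\Users\Public\tmp\cy.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The first rule deliberately keys on the version resource rather than the file name, since that is what survived the rename in the observed sample; the second and third rules only fire for a process already tagged as the dump tool, so a DLL loaded from the executable's own directory or a thread created in another process by the legitimate, in-place agent copy still produces a finding if that copy is ever misused.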

PAN says that systems running the Cortex XDR agent versions 7.7, 7.8 and 7.9 with CU-240 and later content updates detect and block this ransomware, and that a new content update will be released next week to prevent the misuse of their software and detect and prevent this DLL side-loading technique.

“Rorschach ransomware uses a copy of Cortex XDR Dump Service Tool and this DLL side-loading technique to evade detection on systems that do not have sufficient endpoint protection. This poses the same risk as other malware utilizing DLL side-loading techniques,” they added.
